Editor’s note: This article was written by Nandi Gurprasad, head of Strategic Partnerships at Ogury. As GDPR and privacy are usually tricky topics, we’ve asked them to dive into one of their recommended solutions: Ogury Choice Manager.
GDPR and data privacy aren’t exactly new. Unless you’re starting up a new business or company, you’ve most likely heard these terms and have a rough idea of what they’re about.
But what a lot of people may not know is that GDPR isn’t a one-time thing. The advice from Data Protection Authorities (DPAs) is constantly evolving. A lot of smaller companies tend to set up their policy once and never think about it again, when in reality, compliance is an ever-evolving process that needs your attention.
To give you an example, advice from the Data Protection Authorities is updated all the time. In the UK, the Information Commissioner’s Office (ICO) released a report stating that there is no realistic legal alternative to comprehensive consent collection, and that consent notices should provide clarity and give individuals full visibility on what happens to their data. In France, meanwhile, the CNIL have their own revised list of recommendations, which have been updated to follow strengthened requirements under the GDPR.
As you can see, keeping up with these laws across different countries and regions can be daunting. But you have options.
In-house vs outsourcing
When it comes to managing your user privacy, you have two main routes: do it in-house, or outsource.
Now, this blog is all about outsourcing. So if you do decide to manage this internally, there are some other blog posts out there that you can check out (GameAnalytics did one on GDPR in 2018 here).
But, as experts in this area, we thought it best to give you the low-down on what you should look out for when picking a third-party company for your consent collection needs. Whether you decide to use us, or go with someone else, it’s important to get past the jargon and make sure you know what should be on your data-privacy checklist, when it comes to consent collection.
These platforms usually make managing player consent easier, safer, and faster (and help you avoid some hefty fines, too). But finding the right one for you can also be complicated, especially if you don’t know exactly what you should be looking for.
Compliance: data privacy in a nutshell
Before we dig into the solution, let’s talk about the problem.
Any data used to drive advertising revenue and monetization of your app must comply with regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). And regulations aren’t stopping there. Many countries across the world, including Mexico, Singapore, Japan, and Australia, are also creating new laws of their own.
In short, any app publisher who tracks player behaviours for analytics, advertising, or any other reason will need consent. You need to collect consent from your players, for every vendor or purpose, and they (and you) must comply with a variety of constantly changing privacy laws in the regions where your games are published. It’s extremely important to keep on top of these changes, as you, the game publisher, are liable for any infringements, meaning you are open to financial, reputational and legal risk.
Which is why Consent & Preference Management Platforms are becoming so popular.
What is a consent and preference management platform?
Consent and Preference Management Platforms (CPMPs) help you collect, manage, and consolidate all of your players’ choices around their personal data, and are administered in your own websites and apps.
Since GDPR came into effect, numerous tools have popped up in the market, allowing you to manage player consent to some extent. However, they can be quite different, and not all of them may necessarily work for your specific needs.
So, to help you decide which one to go with, here’s a checklist to work through:
What you should be looking for when it comes to a CPMP
1. Makes collecting consent easy and clear
Every tool will deliver a consent notice to your players. However, as you may already know, it’s super important to adapt the message to your audience. You’ll want a platform that lets you customize your messages; otherwise, you could lose your players’ confidence.
A good consent notice should:
- Inform the players about what data is being collected, for what purposes, and who will receive that data.
- Let the user refuse consent as easily as they can give it, individually for each data processing purpose (like analytics or advertising) and each vendor, without pre-checked boxes or default settings set to opt-in.
- Be clear, concise, and written in plain language. Consent notices should be served in native language wherever possible to ensure utmost clarity.
2. Manages consent – stay on top of things
The responsibility of the app publisher doesn’t finish once they’ve collected the consent. To comply with most privacy regulations, players should be able to update their preferences or opt-out easily at any point. And even if they don’t opt-out, you should only keep user data for a certain period if consent is not renewed.
Your CPMP should:
- Make it easy for the user to change consent settings. You should provide opt-out options that are easy and intuitive for users.
- Renew consent periodically, allowing users the opportunity to reassess the value exchange for giving their consent.
- Allow you to easily edit or add to your partner vendor list, and update terms to reflect changes in corporate policy or legislation.
- Trigger new consent notices to users when terms have been changed, or new vendors are added to the partner list.
- Avoid requiring forced consent to use your technology or content.
3. Provides Traceable and Trusted Consent
Traceability means knowing where the data came from (the source). You may say ‘well, it came from my game’, but what’s important is the country, time, date, which consent version it was, and so on.
Your CPMP should:
- Make sure that the consent collected from the end-user is valid.
- Keep clear and referenceable records of the consent gathered: from whom, when, and which version of the notice the user agreed to.
- Be able to show clearly when consent was withdrawn or changed, if the user updated their preferences.
4. IAB Transparency & Consent Framework (TCF) approved
The IAB (Interactive Advertising Bureau) is an advertising business organization that develops industry standards, conducts research, and provides legal support for the online advertising industry. If your game monetizes with ads, it’s beneficial to adhere to their standards.
Their Transparency and Consent Framework (TCF) may not be a familiar term, but for any organization managing user consent and preferences, it’s an important one. It provides an industry standard approach to how information is provided and consent is collected, stored and updated in accordance with GDPR. It’s a good practice to follow.
In fact, version 2 of the TCF is fast approaching. Coming into play on 15th August, it seeks to provide both users and publishers with greater transparency and control, in line with the advice given by the Data Protection Authorities. Your CPMP should be ready for this.
Adhering to TCF V2.0, your CPMP should:
- Not only let the user give or withhold consent, but also allow them to exercise their ‘right to object’ to data being processed on the basis of legitimate interest.
- Enable greater transparency for the user, through more detailed descriptions of the purposes of data processing.
The GDPR does not stipulate that you must implement a CPMP, but IAB approved CPMPs are the easiest solution if you’re looking to successfully manage player consent.
Is this the best route for your studio?
Making sure you’re compliant is tough. And time-consuming. And fiddly.
We get it. Which is why we made sure Ogury Choice Manager (our IAB TCF V2.0 certified CPMP) is 100% free for developers, studios, and publishers. Because the last thing we want to see is a brilliant game suffering because of small, easy-to-make mistakes.
In this article, we’ve given a pretty top-level overview of what we do best, but there is still a lot to cover. If you have any questions at all about this topic, feel free to reach out to one of our experts. You can get in touch through GameAnalytics’ GameDev Toolbox here. (We usually reply within 24 hours.)
Heads up. As mentioned above, the deadline to update to the IAB Transparency and Consent Framework (TCF) V2.0 is fast approaching. We recommend you look into this (before the August 15 deadline) if you haven’t already. It’s an important framework to follow when making sure your studio is compliant, plus the TCF V1.1 framework will soon no longer be supported.